Compliance teams could see an uptick in cybersecurity whistleblower complaints as regulators expand protections and incentives for those reporting data breaches, vulnerabilities or other cyber-related misconduct. But cybersecurity incident reports require special handling. Here’s how to prepare for the unique nature of cybersecurity whistleblowing.
Whether the expanded plans to protect or incentivize whistleblowers in the U.S. or U.K. will result in a surge of incident reporting remains to be seen, but compliance and legal teams should take steps now to strengthen response and investigation protocols for cybersecurity complaints.
Several agencies in recent months have taken steps to encourage whistleblowing. The Department of Justice (DOJ) in October of last year announced the launch of its Civil Cyber-Fraud Initiative to “combat new and emerging threats to the security of sensitive information and critical systems” through the use of civil enforcement actions. It emphasized the protections extended to whistleblowers who provide information to government authorities, as well as the opportunity to share in any recovery.
Next, on January 4, 2022, the Federal Trade Commission (FTC) warned companies to remediate cybersecurity vulnerabilities caused by Log4j exposure, promising to “use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j[.]”
Then, in a January 24, 2022 speech, Securities and Exchange Commission (SEC) Chairman Gary Gensler outlined a variety of cyber initiatives that the SEC would be rolling out involving cyber hygiene and preparedness, cyber incident reporting to the government, and disclosure to the public. Three weeks later, the SEC announced proposed changes to its whistleblower program rules to “help ensure that whistleblowers are both incentivized and appropriately awarded for their efforts in reporting potential violations of the law to the Commission.”
The U.S. is not alone in its focus on this area. The EU Whistleblower Directive effectively kicked off a new era of cyber whistleblower protection on December 17, 2021 by providing a new whistleblowing reporting category for the “protection of privacy and personal data, and security of networks and information systems,” and prohibiting retaliation against those who report these matters.
In light of these actions protecting and incentivizing cyber whistleblowers, here are actions compliance teams can take today.
Recognize that cybersecurity whistleblower complaints are different and treat them differently from the outset.
Companies should acknowledge from the outset that cybersecurity complaints present unique challenges to existing whistleblower compliance programs and manage them differently than more traditional reports of alleged corporate misbehavior. Treating cybersecurity complaints differently is critical, because the initial designation and routing of a whistleblower complaint may determine the adequacy of the steps a company will ultimately take (or fail to take) to address it.
Game out how to intake and route a cyber whistleblowing report.
New sections of the company’s code of conduct or whistleblowing guidelines will need to be developed to address recognition and routing of cyber complaints. A cyber whistleblowing complaint may come in through any number of reporting channels, such as a hotline or web portal, the IT helpdesk, a supervisor, or even the HR director.
Because cyber complaints can emerge from a variety of conduits, a company’s code of conduct or whistleblowing guidelines must address a series of critical, threshold questions, the answers to which will guide the behavior of employees serving in both IT and non-IT functions. Such questions include, for example, “how are bona fide cyber whistleblower complaints to be recognized, and distinguished from more routine complaints that a system is not operating appropriately?” and “who within the company should escalate cyber complaints?”
For many companies, answering these questions will require a conversation with their third-party hotline vendor and examination of whether the vendor’s menu-driven intake has been updated to separately include a new category for cybersecurity complaints. Whistleblower compliance programs managed without the use of third-party reporting channels and software will require a different approach and further discussions.
Determine who will consistently manage the company’s response to a cybersecurity whistleblower complaint.
After a cybersecurity whistleblower complaint is segregated from the other categories, an appropriate person should be designated as primarily responsible for managing the company’s response from start to finish. There is no one-size-fits-all solution for who a company should choose to serve in this vital function. Ideal candidates may include someone in the Chief Legal Office (CLO), the Ethics or Compliance Officer (CCO), the Chief Privacy Officer (CPO) or even the Chief Information Security Officer (CISO).
The individual selected should have a general understanding of the company’s information security policies, practices and overall information technology infrastructure, and not be the subject of, or represent the unit or person purportedly responsible for, the reported cybersecurity issue. Importantly, the whistleblower complaint manager should be able to recognize the difference between a routine security issue and failure to address a more serious or ongoing cybersecurity concern, or one about which there have been prior warnings, potentially unheeded.
Put another way, the person should be able to separate the wheat from the chaff, identifying cyber complaints which, due to their nature or scope, pose significant litigation risk and require remediation—a task that understandably may not be easy.
Start the investigation and ascertain the nature and scope of the cybersecurity concern or vulnerability at issue.
The company will need to ascertain the nature and scope of the reported cybersecurity issue, event, or vulnerability. Cybersecurity concerns may fall into one of several categories: (a) less technical or less serious matters manageable by in-house IT or security personnel; (b) serious matters requiring the expertise of a third-party security consultant; or (c) matters that, due to the unique circumstances under which they arise, warrant the use of an outside forensics company, engaged under privilege, which may also be willing to act as an expert witness later, if needed. Company IT personnel are generally a great first option for addressing reported vulnerabilities that fall into the first category, due to their deep knowledge of the company’s information technology architecture and, of course, the cost efficiencies achieved by using their services instead of third-party vendors.
There may be circumstances under which in-house personnel are ill-equipped to diagnose the extent or severity of a reported cybersecurity problem, or should not play a lead role due to their alleged or suspected involvement in it. Under these circumstances, the company may want to engage third-party forensic or other experts to assess the nature and scope of the reported cybersecurity problem.
Take appropriate steps to preserve the attorney-client privilege, especially if forensic or expert assistance is brought in to assist.
If, as is often the case, the company obtains legal advice during its response to a serious cybersecurity whistleblower complaint, it should employ the practices it uses in the ordinary course to preserve the attorney-client privilege, and evaluate whether other measures are necessary. The question of privilege commonly arises when regulators or plaintiffs attempt to compel discovery of forensic reports generated in the wake of a cybersecurity incident. Companies generally oppose such disclosure, on the grounds that, among other things, such reports are prepared by experts to aid in the provision of legal advice.
As a general matter, courts tasked with deciding whether such reports are privileged tend to differentiate between those generated for the purpose of helping the company make a business decision and those developed to help counsel provide legal advice. As a result, companies and their legal advisors should decide the purpose of forensic expert advice and reports early on, and intentionally structure their practices and the terms of their engagement with a forensic company to preserve the attorney-client privilege.
This is normally done with critical language in the master services agreement (MSA), statement of work (SOW) and/or attorney engagement letter of the forensic company conveying the precise purpose for which the forensic company’s services are obtained. Most forensic companies already have model language to this effect prepared, or it can be negotiated. A company may also want to consider retaining expert vendors with no prior relationship with the company, or executing new engagement letters with existing experts, which make clear that they are separately retained to assist counsel in providing legal advice in connection with a whistleblower complaint and will perform duties distinguishable from those set forth in existing contracts/agreements.
Document and monitor resolutions of a cyber whistleblowing matter.
While some aspects of cyber investigations will be similar to other types of whistleblowing inquiries, there are unique technical and other features that will play into the findings and remediation, if any. However such matters are to be resolved, it is critical that the documentation be adequate and supportable. Because of the system, infrastructure, logging, access control, vulnerability identification and remediation practices that will likely be involved, those drafting a report may have to draw on internal reports, back-ups, forensic findings, technical nuances and language, and perhaps even address witness credibility issues in some cases. This will be a challenge for many companies, necessitating a process – such as the one described herein – capable of yielding a well-founded conclusion. Obviously, this process must also observe the usual prohibitions on retaliation against whistleblowing employees and others. Once the investigation is completed, ongoing monitoring will also be necessary, to avoid a repeat problem that triggers a government enforcement action or private lawsuit.
In addition, the company must determine whether it has any disclosure obligations to the board, a regulator or government agency, investors, partners, affiliates, or contracting parties. Sometimes the company code of conduct or whistleblowing guidelines will identify these obligations, and, in other instances, regulatory regimes may dictate them. In advising the company, counsel should be mindful that the federal regulatory environment is a very fluid one, as agencies evaluate how to use their existing authorities to respond to cybersecurity threats and police the adequacy of company cybersecurity practices.
Facilitate an ongoing dialogue between the Chief Legal, Compliance and Information Security Functions.
Finally, representatives of the chief legal, compliance and information security offices should have an ongoing dialogue regarding the organization’s cyber resiliency, resource allocation, vulnerability identification and management, cybersecurity incidents, and the expanding enforcement landscape. Doing so provides a helpful forum for identifying and addressing, in advance, issues that could otherwise mature into a whistleblowing report. If there ever is oversight, this interdisciplinary dialogue would help demonstrate to a reviewing body that the organization is taking cybersecurity and whistleblowing complaints seriously.
Conclusion
There is no such thing as perfect cybersecurity or limitless cyber budgets. Every organization must make challenging decisions about resource allocation to information technology and information security. With that said, a rejected request for funding combined with a data security incident is a recipe for a whistleblower complaint, particularly where the reporting employee or function may be under scrutiny for the breach in question. Through strong cyber hygiene and a well-crafted, appropriately resourced whistleblower compliance program, companies are better positioned to reduce the risk of a data security incident, as well as preemptively identify and address potential concerns before they become full-blown whistleblower complaints, which can then take on a life of their own.